On Wed, 19 May 2010, J.Witvliet at mindef.nl wrote: > Hi Jerry, > > Just a general remark. > When deploying a firewall, it is advisable to have (atleast for input, better for all) to have the general policy set to drop, and only allow in what you expect to be coming in. If you put a "-j log" line as a final line for each section, you'll see every packet you forgot about... > > Now the default is "allow", and only doing some SNAT and DNAT rules... > > hw And as a follow up remark, it would be advisable to have a network policy in place that will help to define your rules. For example within a university environment like mine, we allow everything in by default except those services for which we want to explicitly block. Those that we want to explicitly block are documented and we run tests to ensure that our firewall is working as expected on a regular basis. Define your "business rules" first and make your firewall rules follow suit. -- James A. Peltier Systems Analyst (FASNet), VIVARIUM Technical Director HPC Coordinator Simon Fraser University - Burnaby Campus Phone : 778-782-6573 Fax : 778-782-3045 E-Mail : jpeltier at sfu.ca Website : http://www.fas.sfu.ca | http://vivarium.cs.sfu.ca http://blogs.sfu.ca/people/jpeltier MSN : subatomic_spam at hotmail.com TEAMWORK There's power in numbers. Learn to work together.